When I first started learning about Active Directory, Group Policy always seemed very fickle. Sometimes I could run GPUpdate, other times I had to run /force.

As it turned out, Group Policy was always working – I just didn’t understand it. So what’s the difference between GPUpdate and GPUpdate /force? Well –

GPUpdate: Applies any policies that is new or modified

GPUpdate /force: Reapplies every policy, new and old.

So which one should I use? 99% of the time, you should only run gpupdate. If you just edited a GPO and want to see results immediately, running gpupdate will do the trick. In fact, running GPUPdate /force on a large number of computers can be damaging to your career. This is because these machines will hit a domain controller and reevaluate every GPO applicable to them.

Note: If you are looking for the remote version of GPUpdate in Active Directory Users and Computers, see this guide.

Anything else?

Since you asked, why yes there is! GPUpdate has a few other options for you to use.

/LogOff: Certain GPOS, such as Folder Redirection, can’t apply in the background. If a logoff is required, this switch will initiate it.

/Boot: If a policy, such as software installation, needs to be applied – the boot command will reboot the machine.

/Sync: Useful for changing the foreground (startup/logon) processing to synchronous.

…Enlightening…

Sarcasm aside, yes it is! You probably noticed a lack of remote support with GPUpdate. To address this, Microsoft introduced the Invoke-GPUpdate cmdlet. Here is an example:

Got an easier way to GPUpdate?

The example above might not be the most practical way of initiating a GPUpdate. Knowing this, Microsoft included the ability to start a GPUpdate remotely in the Server 2012/Windows 8 version of Group Policy Management Console.

As you can see in the picture above, right clicking on any OU will allow you to trigger a remote GPUpdate. Microsoft provided a little security with this tool by not allowing a GPUpdate at the domain level. However, this only works within Group Policy Management. Because a good bit of my work is done within Active Directory Users and Computer, I prefer this method of running a remote GPUpdate.

GPUpdate seemed like such a simple tool. As you now know, it is very powerful and completely customizable to your situation and environment. So the next time you see an administrator running an unwarranted gpupdate /force, explain the differences and let your domain controllers take a breather! And now that GPUpdate has been straightened out, have you been running GPResult remotely?

20 thoughts on “GPUpdate or GPUpdate /force? Learn the difference!”

for example there is a 100 pc in sales department do i need to open all the pc and CMD and type /gpupdate /force ? to each pc ? is there any way to make it easier ? or do really need to do it manually ?

“gpupdate” checks if the versions of GPOs in cache are of the same versions with physical GPOs and then update it if they are different.
gpupdate /force will update even if the versions are the same.

Basically, anytime GPO is changed in a usual way, the version is changed as well automatically.
However, if you go to \\YourDomain\SYSVOL\YourDomain\Policies\ and change GPO manually, the version of the GPO will remain the same. If you run gpupdate, it won’t update GPO on the client. However, if you run gpupdate /force – then it will. That is only the example, which I can think of, where the key “/force” is useful…

I’m about to move a file share this weekend and need the drive mapping applied by Group policy to be changed to all computers at startup monday morning. Do you have any suggestions or experience from that?

Will the mapping be updated on startup as the computer have been turned of more than 90 mins? (turned of the entire weekend).

Drive mappings are always processed on logon. I would recommend change the existing preferences to a delete action (with apply once and do not reapply checked). Then create a new GPP drive mapping preference pointing to the new share.

But what happens with the policy’s when removing the networkcable from a pc or even or from removing from the domain.? I guess the first option will not remove the applied policy’s but the 2nd one removes them?

If the computer is offline (but still on the domain), the policy will still apply. If the machine is removed from the domain, polices won’t apply but preferences might still apply. Here is a link explaining that:

My problem with gpupdate (with or without the /force) is that it always takes multiple reboots to kick in. I’m talking about software installation GPO’s mostly. I do it once, reboot, no change, do it again, (which is when I know it has worked b/c now it prompts to reboot) and then it works.

Wow, fast response
I just read about that with this caveat:
“This way, Group Policy will be processed synchronously. Note that this will increase the time needed to boot-up and logon.”
I’m removing an old version of Office from all my user machines in order to go to Office 365 Pro Plus (which is a major pain cuz you can’t GPO new office).
Not sure if I want to universally increase boot up and logon times plus what happens when a laptop leaves the building, does it wait for the network? (which will never appear until they VPN)